Password with real words (like Diceware) really safe?



  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member

    If you only reject the occasional word then it shouldn't have much of an effect. But it is important to re-roll the dice when you reject a word. You shouldn't look for the next acceptable word on the list. You need to re-roll the dice.

  • benfdcbenfdc Perspective Giving Member


    Can you see that post now? There was a glitch, but I think it has been straightened out with the assistance of AgileBits's always-excellent support team. :-)

  • DavidBDavidB Senior Member
    edited May 2014


    Yes--I can see all your posts now. Thank you for your help.

  • This seems like a good thread to add this: the number of recommended words is now up to six.

    "I had previously written that longer Diceware passphrases might be vulnerable by about 2014. Well it's 2014. Today criminal gangs probably have access to more computing power then the NSA did when this page first appeared. So I am upping my passphrase length advice by one word."



  • edited May 2014

    I'm assuming that that advice does not take into account the PBKDF2 scheme that 1Password uses to encrypt it's keys?

    @jpgoldberg‌ are 4 word pass phrases still acceptable for 1Password MPs?
    edit: No need to answer. Just noticed you already did so in the comments on the blogspot link. :)

  • khadkhad Social Choreographer

    Team Member
    edited May 2014

    Indeed, @RichardPayne‌! You've got it exactly right. :)

    For posterity, @jpgoldberg‌'s comment from the Time to add a word blog post:

    It is important to note how the passphrase is hashed. If, for example, something like scrypt is used or the hashing involves HMAC-SHA512, such as in PBKDF2-HMAC-SHA512 then GPUs don't do much for you.

    For example (shameless plug), extrapolating from the results that hashcat has achieved against the 1Password Master Password[1], a fleet of GPUs would still only be making on the order of 10s of thousands of guesses per second.

    [1]: Crackers report great news for 1Password 4

  • Hi All,

    since yesterday I'm reading the good blogpost and documentation from agilebits.
    And now I've I bit confused or concerndt about the entropy of my passwords.

    I've been using "randomly" created Passwords since decades for my login and other important stuff. So it is not hard for me to rember a 25 char password.
    I use a cmdline tool (mkpasswd / pwgen) which generates good passwords which are easy to rember for me.
    Example "Vici0caolua5Epae"
    But the entropy is not as high as I would expected, the structure of this Passwords is easy for me to rember. If I would use 1Password generated like "IpM9hTURjWgkonvM" it would be harder for me.

    Since I use serveral calls to pwgen and pick differnt "passwords" to combine my password and even alter chars, I've using always a different lenght between 10 up to 25 chars. So I'll guess it is still safe.

    So I ask my self is diceware safer then pwgen ? Since I've getting older "the availbilty " of the password in my mind is also a reason to think about.

    What option do you have ?

    Random Username

  • khadkhad Social Choreographer

    Team Member

    Hi @random_31731ec7aea‌,

    I've merged your post with this existing thread. As stated in our "Toward Better Master Passwords" blog post:

    The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system.

    At the moment, I don't know the system in use by the tool you are using, but Diceware is a fairly straightforward calculation. Please see my post #9 in this thread for a comparison between Diceware and 1Password's generator. For passwords you need to remember, we recommend Diceware.

    If you haven't already read it, you can read more about the math behind all this in our "Better Master Passwords: The geek edition" blog post.

    I hope that helps. Please let me know. :)

  • If someone knew the diceware word list I used, why couldn't they brute force every possible combination of the words in the list in which case "randomness" would be neutralized? What am I missing? Would it really take that long with today's processors?

  • benfdcbenfdc Perspective Giving Member
    edited August 2014

    Would it really take that long with today's processors?

    Yes it would, so long as you choose a passphrase of sufficient length (which depends upon the context). Diceware is based on rock-solid mathematics. However, Jeff suggests near the end of his Toward Better Master Passwords blog post that you might enhance your diceware passphrase by adding in a made-up "password" like 2dM&P. If that feels right to you, then do it. However, if you use identical or similar made-up passwords in all of your otherwise-random passphrases, the gain may not be as much as you would suppose.

  • @‌clive
    You could say exactly the same thing about normal passwords. If someone know the alphabet that I used to create my password (English is the most common language on the net so this is likely) then why couldn't they brute force every possible combination of the letters/numbers/symbols in the list?

    The answer is, of course, that they can, if they're willing to commit the necessary time and resources to the task.
    For the standard diceware list and a 6 word phrase, this would be 7776^6 = 2.2E23 possible phrases.
    Let's say that the diceware list averages 5 characters per word (I have no idea what it is, but this will do for an example), then the equivalent would be a 30 char password. Using upper and lower alphas, numerics and 10 common punctuation symbols we'd have 72 symbols so 72^30 = 5.2E55 possible passwords.

    So, if you simply look at length of password then a diceware password is weaker because there's a lot of redundant information. However, remembering 6 words is a hell of a lot easier than remembering 30 random chars.

    So the question is, is 2.2E23 choices strong enough? If @jpgoldberg‌'s quote that @khad mentioned a couple of posts up is correct then hashcat is trying 10s of thousands of password a second against the agilekeychain format. Let's give it the benefit of the doubt and say 100,000. That means that it would take:

    2.2E23 / 1E5 = 2.2E18 seconds = 69.7 billion years to scan the entire password space. Half that to get a 50% chance of a crack.
    I'd say that this is unlikely given that, as far as we know, the universe is only 13.5 billion years old. ;)

  • Im not sure but I think we should not be considering how many characters there are in a diceware generated password, since everyone who uses the system has the same 7,776 words. and they will try using combinations of only these words.

  • I mean some computers programs can try guessing passwords by trying only those 7,776 words, not all the characters combinations

  • edited August 2014

    You missed the point of what I said. For a 6 word phrase randomly chosen from the 7,776 word list you have 2.2E23 combinations. To brute force the whole list would taken 7 billion years @ 1 million guesses per second (very fast against a PBKDF2 hashed password). Average crack time would therefore be about 3.5 billion years.
    Not something to worry about really provided you use a decent length pass phrase.

    Based on the above assumptions, average crack times are:

    6 words = 3,500,000 years
    5 words = 450,000 years
    4 words = 57 years
    3 words = 1.9 days

This discussion has been closed.